Longstanding privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) have been subject to numerous changes under the HITECH Act. The U.S. Department of Health and Human Services published Jan. 25 yet another final rule under the HITECH Act to enhance patient privacy protections, give individuals new rights to their health information and strengthen the government’s ability to enforce the law.

The final rule will require all HIPAA-covered entities, including physician practices, to further amend their HIPAA compliance programs no later than Sept. 23, 2013. Most HIPAA-covered entities will also be afforded an additional one-year transition period to get business associate agreements updated to comply with these new requirements.

To prepare, medical practices must get busy updating HIPAA policies and privacy notices, communicating with business associates about new obligations and training staff. The ISMA is planning educational seminars; continue reading ISMA Reports for dates and locations. You are advised to work with your legal counsel to update documents and implement changes before the compliance deadline, but here is an introduction to some modifications announced last month.

Business associate expansion

HIPAA security provisions will now apply directly to business associates having access to protected health information (PHI). That includes entities like health information exchanges, e-prescribing gateways, and data transmission and shredding services. Subcontractors of your business associates with access to PHI will be considered business associates themselves. The rule defines a business associate as “…any person who creates, receives, maintains or transmits PHI on behalf of a covered entity….”

Krieg DeVault’s Susan Ziel explained in a recent webinar, “Business associates must now enter into written agreements with any subcontractors. Additionally, all business associates and their subcontractors are required to comply with certain HIPAA privacy and security obligations, and will be subject to enforcement just like a covered entity.”

Certain exceptions still exist; however, the final rule confirmed that PHI exchange between HIPAA-covered entities for treatment purposes does not require a business associate agreement.

More about breaches

The definition of a “breach” was modified so that any impermissible use or disclosure of unsecured PHI is presumed to be a breach. The previous “low risk” harm standard for determining whether breach notification is required was replaced with a new PHI “risk of compromise” standard.

Specifically, HIPAA-covered entities must now assess the risk that unsecured PHI (and unencrypted Limited Data Set) was compromised. The final rule confirms that the best practice is to use effective encryption and destruction standards to properly secure PHI whenever possible.

During her recent webinar, Ziel asked, “Do you have a clear and concise minimum necessary standard that your employees truly understand?” If not, the result could be unauthorized access or use of PHI that could be a breach incident, an issue HHS discussed in the final rule.

“Be specific in stating what PHI access and use is proper, by job category, to avoid any confusion that could result in a breach,” said Ziel.

Patient rights to records

While patients previously had a right to their PHI, the new rules give patients the right to their PHI in the form and format they request – to go to whomever they request in writing – within 30 days. Practices may charge for labor and supplies and may request a one-time 30-day extension in writing.

Additionally, patients who pay for services from their own pockets now have the right to direct their health care providers NOT to disclose certain information to their health insurance plans. But, if a medical practice is required by law to submit a claim, such a patient request cannot be honored.

...and much more

The final rule confirms four levels of violation that can result in severe civil money penalties, subject to a $1.5 million cap. The most serious penalties will apply to HIPAA-covered entities and business associates who willfully neglect the rules and do not implement corrections in a timely manner.

Other amendments pertain to marketing and fundraising practices and prohibit the sale of PHI without permission. Statutory changes under the Genetic Information Nondiscrimination Act also clarify that genetic information is protected under HIPAA and prohibit most health plans from using or disclosing genetic information for underwriting purposes.